A Linux Distro From the US Department of Defense
donadony writes "The Lightweight Portable Security distribution was created by the Software Protection Initiative under the direction of the Air Force Research Laboratory and the U.S. Department Of Defense. The idea behind it is that government workers can use a CD-ROM or USB stick to boot into a tamper proof, pristine desktop when using insecure computers such as those available in hotels or a worker's own home. The environment that it offers should be largely resistant to Internet-borne security threats such as viruses and spyware, particularly when launched from read-only media such as a CDROM. The LPS system does not mount the hard drive of the host machine, so leaves no trace of the user's activities behind."
What about the fingerprints? Screen ghosts? Not to mention all that quantum electron crumbs...
Fuck systemd. Fuck Redhat. Fuck Soylent, too. Wait, scratch the last one.
Seems like something child pornographers would be interested in. Among other people.
I wonder if it includes a copy of CoFEE standard. They have *my* attention.
You're telling me hotel computers might be insecure? Information I could have used before now...
This would still be vulnerable to malware loaded by firmware and hardware. Not much of a vector and shouldn't have much effect on the use cases they're talking about too much.
There is a review of LPS over at DistroWatch:
http://distrowatch.com/weekly.php?issue=20110704#feature
Surely all those Chinese assembled PCs have a key logger, or other back door, built into the BIOS power on self test? If I was in charge of a country that assembled most of the world's computers, I'd make sure that such a thing was in place.
If the computer is left on the RAM can still leave traces behind.
I don't see how this is any different than any other live CD though.
^^vv<><>BA
Yeah, this was a good idea... I actually have Ubuntu installed on a portable USB drive -- It's faster than installing off a CD and it remembers saved data, bookmarks & installed progs (instead of a clean boot image).
However, I don't think for a moment that this prevents an infected system BIOS/CMOS from infecting the MBR of the flash drive, or that even booting off of a CD-R will be able to keep me safe if the hardware can't be trusted... I mean, if you want security, why not give them a personal mobile pocket computer instead? Everyone knows that physical access = game over; if an attacker's gained physical access you've just been pwned. Not to mention how easy it is to place a low-tech internal key-logger in today's machines...
Unless the "vanilla PC" you're booting from has a hardware keylogger. Then well, duh.
I want to delete my account but Slashdot doesn't allow it.
Are hardware loggers (keyloggers exist, and screenloggers do not seem too far out there -at least in my fanciful imagination) and other interposers not part of their threat model or do they actually have a way to combat that?
If the former then this does not seem to be a very useful security system. If the latter then I'm very interested in how (Trusted Computing anyone?)
hm. great idea, but doesn't look easy for the non-technical folk to get it up and running. imo, they're the ones that really need this type of product when they travel to hotels and whatnot.
This is a research account for studying online commenting so we can create tools to improve moderation.
It even includes monitoring software that sends all you do to the US government for analysis, it ensures you aren't doing anything nasty! 100% secure!
Oh shit! How did I miss this gem here?
LPS differs from traditional operating systems in that it isn't continually patched.
BRILLIANT! That means that any flaws in your OS or applications (web browser) WON'T BE PATCHED -- Get a clue people, this is not made to be more secure, this is just plain asinine. I'm afraid to discover any other steps they've taken to "improve security" or "harden" the systems -- LMAO!
Now if only their Websites were this secure...... *coughAnonymouscough*
Though really, the imprint is left on the network, even if it's encrypted, and something might be left over BIOS, mechanical keylogger... There's probably a lot of ways these guys could be found out, but it could be a good thing that they're at least using SSH and a portable OS, it shows they're TRYING.
They'll probably hand out the first batch to people like Mr. Anthony Weiner just to avoid that kind of embarrassment, if not for national security...
And its lixes suck, they suck GOAT PENISES in AFPAKISTRAND!
Further and More, yomama is FATTTTT!
UNITE with the Campaign for a Free Internet because today, our future begins with tomorrow!
Except with some useful proprietary applications with GUIs for encryption and making it difficult to have persistent data.
I guess the kernel has all proprietary drivers in it so it's more likely to just work and support hardware but that also comes with the slightest chance that it's just an excuse to get a back-door in there (though if there is one; the other end does not care what you are doing).
Have we already forgotten about using special kernels after POST get read data from air cooled memory chips that retain their contents after a power off already? Not that it matters, but saying there is "no trace" can be a tad incorrect :)
Then all you would be praising it as a great idea!
The ability to boot from removable media in the first place?
Most places I've been (hotels, cafes etc) have that ability completely locked out.
reminds one of previous failed life0cidal empires.
regards to rep. Sanders for his courage & valor in representing us, telling the truth, doing his job.
But can it run America's Army?
WARNING: Smartphones have side effects--most of them undocumented.
Call me paranoid, but why would they make something like this and let people have it? The government would rather identify everyone online. Am I right?
But what if this phones home? Has any security(tm) professional tested the network traffic this produces under a VM or through a firewall? (BTW posting anonymously my captcha is "vibrator")
call it Dod-ian
Wait...so DARPA bought KNOPPIX?
It doesn't get patches because it runs from read-only media; the approved version is updated when necessary to address security concerns, but you have to use new read only media, rather than patching the existing one, that being the nature of "read-only".
Quote: The idea behind it is that government workers can use a CD-ROM or USB stick to boot into a tamper proof, pristine desktop
Reply: And the government probably spent millions developing the OS when we just download it for free.
I've been working in the kiosk industry for about 8 years now. The current company I work for has around 1000 kiosks in hotels, airports, business centers, etc as well as having around 20,000 customers.
I can tell you that 99% of hotels are set up to NOT allow USB or CDROM booting for the very obvious reasons. Most are set up as well to only read CDROM and read/write from USB and also have a BIOS password set to disable the ability to execute from a different device.
I suspect this project will die off pretty quickly or fail soon if the people involved with the idea didn't even do some simple research or know about this type of information. Sure it would be a great use for their home computers but outside of that the CDs will just be one more thing to fall into the hands of people who will abuse it and become yet another security hole.
If this catches on, and people start using it for their normal desktop, we're in serious danger of not giving the key VDI vendors billions and billions of dollars to "revolutionize" our desktop experience!! Isn't somebody going to, like, issue a petition or organize a protest or something? (Oh wait ... i see the paid lobbyists cronies of the beltway IT hegemony circling already -- never mind).
"Ahh! I see you're in that indeterminate Schrodinger state where - oh, uh
It would really save some anons a lot of trouble if this distro would just upload all of the confidential files to pirate bay.
Think how much time we would save waiting for the right person with the right access, or the right system to be vulnerable and get exploited. It's all going up there eventually anyway, so why not skip the middle man? I suppose that's too much efficiency to hope for.
"I opened my eyes, and everything went dark again"
So what about locked BIOSs and the like, where booting off of a CD/USB Drive is either not enabled or isn't first? I mean, it would work in some situations, but in other situations you would be forced to use whatever you have in front of you. Of course, I'm thinking the computers would have competent IT workers...
Dude. That's what housekeeping is for...
If Mr. Edison had thought smarter he wouldn't sweat as much. --Nikola Tesla
ya mean how they last worked on encryption and secretly backdoored it...ya trust in bankruptcy
Yes, Linux has superior performance, hardware support, scalability, but does the military need that? Wouldn't the military be better suited by an intelligently designed operating system, with well written and documented code, like Free or Open BSD?
China is using FreeBSD as its operating system. This fits in the thinking of the Chinese government being smarter than the US government.
Without a trusted boot there is no way to know whether a layer lower than the operating system is not interfering. As such, if the BIOS, or any other firmware (e.g. network card) is malicious, you're doomed.
Anything that gives you a false sense of security when you have little or none is worse than knowing up-front that you have no security. As long as the PC itself isn't secure (keyloggers, rootkits, or any other type of snoopage), you shouldn't touch it if you actually care.
Unfortunately the vast majority of DoD sites only are approved to work in IE, which doesn't run natively in Linux..
Too bad it does work with Navy Systems. CAC access with this has failed in the past.
So now anyone can download everything they need to access government computers in one easy step! I'm sure anonymous, and the Chinese government appreciate that!
Cheers!
(1) device support. For example, LiveCD does not support certain wireless adapters. (2) virtualization. Can you be sure you are not booting into a VM?
Feeling secure firing up a clean desktop?
Might want to check the back of the PC or even better bring your own keyboard.
The solution is better than nothing but I still wouldn't trust Internet cafes --> http://www.keelog.com/
classic sand-boxing is good, pretty efficient, but of course the user can leak information as he "surfs" on the CDROM, but at least old information is restricted.
I've read that LPS does not mount any hard disk on the local system. However, it seems still to be possible to mount a disk by getting root privileges and running commands such as mount, fdisk, etc... My question is: what would happen if we visit a web page with malware able to exploit the stack and get a root session?
Builtin DoD Backdoors.
I'd like to see them try and run a secure session on a computer that I'd prepped. Even with only remote access (e.g. via a trojan.)
If the (slashdot) report is correct, then this is worrying.
The idea that they would, in the time of 3g and WLAN, somebody like an employee of the DOD would try to use any hotel computer and make it magically safe by booting some OS.
Using a hotel computer or any internet cafe computer is like putting a malicious room maid onto steroids.
There is an infinite number of people who had infinite time to place keyloggers, bug the monitor cable etc.
doing nothing (i.e. abstinence) is safer than sex with a condom, but sex with a condom is safer than doing nothing about protection
I listen to both RIAA and non-RIAA stuff if I like the music, tangential business/politics notwithstanding.
though we lambaste TSA-type security theater with good reason, I get the impression that the feds are at least more serious about security for their own systems/installations
Why is this an item? That distro has been around for a while (at least a year). I never actually used the software but it came in handy as a counter argument for "Linux isn't secure" trolling.
"I'm not much interested in interoperability. I want substitutability. I want to be able to throw your software out."
For instance, what about hardware keyloggers?
Sounds like a good distro to use for on-line banking - assuming your bank doesn't require flash running in IE6, which in the US, is a 50-50 proposition.
This DISTRO sounds like it's made for safer porn surfing?
WikiLeaks News 2014: In a stunning revelation Anonymous found information indicating the Dept. of Defense gathered information from its employees. Last year the DOD was outed by WikiLeaks News as having included a key logger on the Lightweight Portable Security Linux distribution, a live-cd mandated for all DOD employees for use on non-DOD PCs. Now our sources discovered keystroke records from over a million sessions on DOD computers. Another piece of software on the live CD transferred these sessions to DOD servers while the CDs were used. DOD officials were unavailable for comment.
Here will be an old abusing of God's patience and the king's English.
Failed solution because any kiosk like environment typically has no media ports available, and when they do, usually has them BIOS locked down to not allow booting from them.
I never said the OS is a bad thing. Please don't put words in my mouth.
I note that PopeRatzo never said *you* said the OS was a bad thing.
My actual intent was that it seems like something I would want to be used for official purposes only.
And that is what the objection is to: The idea that things ought to be restricted in their use because they can also be used by bad people. Just about anything can be used for good or ill; if you attempt to control anything that might potentially be misused or abused, there's nothing left.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
You can download this on Alllinuxinfo.com the link is DOD Lightweight Portable Security distribution Mirror at the bottom
I'm ignorant. And old. Back in the day I remember that a BIOS could be compromised by a virus. Is that still the case with newer computers?
"Crude and slow, clansman. Your attack was no better than that of a clumsy child."
Too bad not everybody can easily get around it.
Think crop dusters. They have an airplane, and to put a power takeoff from the engine to the spray pump would mean FAA recertification of the entire powertrain. Answer: Use a ram air turbine, a windmill that sticks out into the airstream to power the pump. No modification to the airplane itself, no recertification necessary.
...have seeded a copy!
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
If the computer's keyboard records keystrokes, or the computer has hardware installed to record screenshots, it's unclear how running secure software on that hardware would help much.
They obviously wanted to replicate the Windows look, but went a bit too far.
Also some wooden transportation vehicle shaped like a horse comes to mind. Don't know why...
Didn't the NSA produce a Linux distribution before they got slapped down for being anti-competitive?
/* TODO: Spawn child process, interest child in technology, have child write a new sig */
If you read spi.dod.mil, you'll see two editions - LPS-Public for safer, smartcard-enabled Internet browsing and LPS-Remote Access for more secure remote enterprise network access (telework). The latter has far greater security technology AND is custom built for office (IP address) AND can connect to only that smartcard-authenticated network.
I tried both versions, on Virtualbox. While the 'normal' one booted okay, the 'de luxe' just stays with a black screen.
Nope, the checksum is even okay. So another download won't cut it.
Why??
Per spi.dod.mil, LPS has two main editions - LPS-Public for safer, smartcard-enabled browsing and LPS-Remote Access for remote enterprise access (telework) of federal networks. Public is free; LPS-Remote Access is custom built for each group per need (free to DoD, $10k others).
Reading the product sheets on spi.dod.mil, the Public edition's security is far less than the Remote Access edition - the latter has a firewall, can connect to only that enterprise IP address, and 'other security features' which would hint that they made all those 'obvious' fixes like no root, no shells, SELinux, locking stuff down, monitoring, etc. It seems the Public is meant to be a more usable, protective device for Internet surfing (and for using smartcards) but the product's true value lies in telework for very sensitive enterprise (and thus have far greater security).